PHISH LOCKERS OUT IN THE WILD


FRAUD REPORT, August 2013

RSA researchers have been increasingly witnessing the activity of highly targeted Trojans, dubbed Phish Lockers, used at the hands of cybercriminals to steal credentials. The Trojans are deployed as a means to present online users with a phishing page that is generated by malware, while locking the desktop, hence the name.

This type of malware is not defined as a banking Trojan in the traditional sense. It is basic malicious code that can manipulate certain actions on an infected PC, but it is not a rootkit or otherwise able to actively monitor online activity, keylog or perform web injections.

Phish lockers were observed attacking banks in Latin America earlier this year, where local pharming is a very common attack method. However, the lockers are now starting to show up in new regions, attacking one or more banks at a time.

INSIDE THE PHISH LOCKING ROOM

Much like most banking Trojans, phish lockers are activated by trigger. When an infected user logs into a website contained on the malware's trigger list, the Trojan becomes active. However, unlike banking Trojans, phish lockers don't have a classic configuration file. Most of the information is hardcoded into the malware and therefore cannot be changed on the fly. The malware is compatible with all major browsers including Internet Explorer, Firefox, Chrome, and Opera.

The first visible action that the user will see is the browser window being shut down, then the desktop's START button disappearing (a common occurrence with ransomware, for example). Based on the URL initially typed into the browser, the Trojan will pop up a corresponding web form that looks exactly like the legitimate web page, but is actually a phishing page.

The phish locker malware usually comes with a few hardcoded web forms, each requiring a relevant set of credentials from infected bank customers. Usually, the information requested by the malware corresponds with phishing attacks targeting the particular bank. For example, if the bank uses out-of-band SMS for transaction verification, the form might have a request for the user's mobile number.

Figure 1: Phish locker's web form pop-up requesting credit card information

When banking Trojans infect user machines, they are present on the device and can log a user's keystrokes and steal documents, certificates, cookies and other elements dictated by the botmaster. Banking malware regularly sends logs of stolen information to its operator, using predefined domains as communication resources. Phish lockers, on the other hand, are not designed to carry out such complex activity and use basic methods to transmit stolen data such as email. In order to facilitate sending emails from the infected PC, the malware's author programmed it to use Extended SMTP, predefining a sender and a few recipients that will act as a fallback mechanism in case the data gets intercepted or the mailbox blocked/closed for some reason.

Yet another differentiator that separates banking Trojans from phish lockers is the mode of activity. While banking malware steals and listens for data at all times when the browser is open, the locker closes the browser altogether, and then does the stealing. Once the information from the locker's web forms is sent, the malware remains inactive and does not carry out any other malicious activity on the PC, allowing the user to regain control.

CONCLUSION

It is rather interesting to see Trojans of this type, which are considered very basic when compared to most banking Trojans in the wild. It is even more interesting to see them appearing in geographies where banking security is considered to be very advanced.
This phenomenon may be linked with the trend towards privatization of banking Trojans. This has created a barrier for many cybercriminals as they are denied access to purchase more advanced malware kits to launch attacks. This could perhaps be pushing some cybercriminals to write and deploy simple malicious codes that will at least get their dirty work done.
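A defender-side heuristic for the behaviour the report describes (browser shut down, then outbound ESMTP from the infected PC to a predefined sender's fallback recipients), written as an added example and not code from RSA's report: it scans constructed endpoint telemetry for a host where a browser process ends and, within a short window, a process other than a known mail client opens SMTP-port connections to two or more different mail servers. The telemetry line format, the process names, the port list and the 60-second window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Browsers named in the report; mail clients that legitimately speak SMTP (assumed list).
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

# Constructed sample telemetry in a hypothetical format: ts|host|event|process|detail.
# WS-017 shows the locker pattern: browser ends, then a non-mail process (name
# constructed) sends to two different mail servers, i.e. the fallback recipients.
SAMPLE_EVENTS = """\
2013-08-05T09:14:02|WS-017|proc_end|chrome.exe|
2013-08-05T09:14:09|WS-017|net_connect|svchost32.exe|198.51.100.7:587
2013-08-05T09:14:11|WS-017|net_connect|svchost32.exe|203.0.113.21:25
2013-08-05T09:20:00|WS-042|proc_end|firefox.exe|
2013-08-05T10:01:30|WS-042|net_connect|outlook.exe|192.0.2.10:587
2013-08-05T11:05:00|WS-099|net_connect|updater.exe|192.0.2.55:443
"""


def parse_events(text):
    """Parse pipe-separated telemetry lines into time-sorted (time, host, kind, process, detail)."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, proc, detail = line.split("|")
        events.append((datetime.fromisoformat(ts), host, kind, proc.lower(), detail))
    return sorted(events)


def find_locker_candidates(events, window_s=60, min_servers=2):
    """Return {host: [(browser, [mail servers])]} for hosts matching the pattern."""
    hits = defaultdict(list)
    for i, (t0, host, kind, proc, _) in enumerate(events):
        if kind != "proc_end" or proc not in BROWSERS:
            continue
        deadline = t0 + timedelta(seconds=window_s)
        servers = set()
        for t1, h1, k1, p1, d1 in events[i + 1:]:
            if t1 > deadline:
                break  # events are time-sorted, so nothing later can match
            if h1 != host or k1 != "net_connect" or p1 in MAIL_CLIENTS:
                continue
            ip, port = d1.rsplit(":", 1)
            if int(port) in SMTP_PORTS:
                servers.add(ip)
        if len(servers) >= min_servers:
            hits[host].append((proc, sorted(servers)))
    return dict(hits)
```

User workstations rarely have a reason to speak SMTP directly, so a coarser variant is to alert on any SMTP-port connection from a non-mail-client process on an endpoint; the browser-termination correlation only narrows the noise.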

Top Countries by Attack Volume

The U.S. remained the country most attacked by phishing in July, targeted by 58% of total phishing volume. Germany endured the second highest volume of phishing at 9%, followed by the UK at 8%. India, France, South Africa and Italy were collectively targeted by of phishing volume.

Chart, Top Countries by Attack Volume: U.S. 58%, Germany 9%, United Kingdom 8%, France 3%, India 3%, South Africa 3%, Italy 3%, 48 other countries 10%.

Top Countries by Attacked Brands

U.S. brands were once again most affected by phishing in July, targeted by 28% of phishing attacks. Brands in the UK, India, Italy and together endured one-quarter of phishing attack volume.

Chart, Top Countries by Attacked Brands: U.S. 28%, United Kingdom 11%, India 6%, Australia 5%, Italy 4%, 51 other countries 47%.

Top Hosting Countries

The U.S. remained the top hosting country in July with 45% of global phishing attacks hosted within the country, followed by, Germany, and the UK. To date, RSA has worked with more than 15,300 hosting entities around the world to shut down cyber attacks.

Chart, Top Hosting Countries: U.S. 45%, [country name missing] 6%, Germany 5%, United Kingdom 4%, Netherlands 4%, France 3%, 62 other countries 33%.

CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller or visit us at EMC Corporation.

EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. AUG RPT 0813
